The threat group Handala, among the most active and aggressive of the pro-Iranian cyber gangs that have mobilized since the United States and Israel began a bombing campaign against Iran a month ago, hacked into the personal Gmail account of FBI Director Kash Patel.
The group took responsibility for the hack and posted photos of Patel and a link to documents – including what appeared to be his resume – that the attackers said came from his email account. The hackers wrote on their website that the FBI director “will now find his name among the list of successfully hacked victims,” according to Reuters, which first reported the story.
The Justice Department (DOJ) confirmed the hack to the news organization and said the documents posted online appeared to be legitimate.
The intrusion into Patel’s Gmail account comes a week after the FBI said on March 19 that it had seized websites used by Handala to leak stolen data. In a notice posted on the sites, the FBI wrote that it had determined the domains were “used to conduct, facilitate, or support malicious cyber activities on behalf of or in coordination with a foreign state actor. These activities may include unauthorized network intrusions, infrastructure targeting, or other violations of United States law.”
The domain that was used to run the hack of Patel’s account was registered the same day the FBI announced the domain seizures, according to CBS News.
In a post online, Handala said the hack was in response to the FBI’s actions, writing that “we decided to respond to this ridiculous show in a way that will be remembered forever.”
“The so-called ‘impenetrable’ systems of the FBI were brought to their knees within hours by our team,” the hackers added.
Handala had confirmed on its Telegram channel that the websites had been seized, adding that the “act of digital aggression only serves to highlight the fear and anxiety our actions have instilled in the hearts of those who oppress and deceive. Although they attempt to erase the evidence and hide their crimes through censorship and intimidation, their actions only confirm the impact of our mission.”
After the domains were seized, threat intelligence experts warned that while the FBI’s actions were a victory, it was a temporary one, with Tammy Harper, senior threat intelligence researcher for Flare, writing that “for this kind of actor, infrastructure is replaceable. The persona is what holds it together. As long as they can keep accessing targets and putting material out somewhere, the model still works. … Based on how they’ve operated so far, it’s unlikely to slow them down for long.”
A day after the seizure, the FBI warned that bad actors linked to Iran’s Ministry of Intelligence and Security (MOIS) – Handala is included in that group – were using Telegram as command-and-control (C2) infrastructure to push malware targeting Iranian dissidents, journalists who appear to be against the regime, and other opposition groups. The malware is used to collect intelligence, leak data, and harm the reputations of those targeted.
The cyberwar in the conflict started almost immediately after the bombing began on February 28, with reports of dozens of pro-Iranian hacktivist groups mobilizing online to strike back at the United States, Israel, and Middle East countries seen as helping or sympathizing with the aggressors. Handala was once regarded as such a hacktivist group, but it has more recently been linked to Iran’s MOIS and the Islamic Revolutionary Guard Corps (IRGC).
Handala made headlines with its March 11 data-wiper attack against U.S.-based global medical tech firm Stryker, which reportedly resulted in more than 200,000 corporate systems, from mobile devices to servers, having their data erased. Other active Iranian groups include 313 Team – also known as Cyber-Islamic Resistance in Iraq – responsible for a range of distributed denial-of-service (DDoS) attacks against organizations in Saudi Arabia, Spain, and Portugal, as well as Interpol and Europol, according to researchers with Flashpoint.
The security firm, which has been sending almost daily updates about both the cyber and kinetic warfare going on in the Middle East, also called out Cyber Fattah Team and The Elite Unit.
Palo Alto Networks’ Unit 42 analysts this week warned of an increased risk of wiper attacks and investigated Iran-war-themed phishing lures, finding 7,381 such phishing URLs spanning 1,881 unique hostnames.
“Recent threat activity demonstrates a widespread wave of financial fraud, credential harvesting and illicit content distribution targeting both enterprise and consumer sectors,” they wrote. “Threat actors are heavily relying on the impersonation of highly trusted entities including major telecommunications providers, national airlines, law enforcement and critical energy corporations, to deceive victims.”
The volume and reach of Iran’s cyber efforts eclipse those seen from both sides in the Russia-Ukraine conflict, and they illustrate how cyberwarfare will continue to be incorporated into kinetic fighting in the future. It’s something businesses are beginning to understand, according to the World Economic Forum (WEF).
“The ongoing conflict in the Middle East is a stark reminder that modern warfare is no longer confined to physical battlefields,” the organization wrote this week. “Alongside missiles and drones, the conflict is being waged across cyberspace, with governments and state-backed hacking groups going on the digital offensive. This includes the targeting of businesses and critical infrastructure networks located far beyond the region.”
Geopolitical tensions will continue to raise the specter of cyberattacks and stress the need for stronger resilience, the WEF wrote. Business leaders are taking heed.
The WEF’s Global Cybersecurity Outlook 2026 found that 91% of the largest organizations are changing their cybersecurity strategies due to geopolitical volatility, “a striking indicator of how deeply global tensions are influencing digital risk.”